NIST Cybersecurity Framework (CSF) For Information Systems Security: NIST Cybersecurity Framework (CSF), #1

About this ebook

Do you want to learn one security framework that helps you master all frameworks?

The NIST Cybersecurity Framework (CSF) is designed so that it aligns with best security practices in every industry. Achieve proficiency in security frameworks with expert guidance from Bruce Brown, CISSP, CGRC.

Delve into the core of cybersecurity frameworks with this indispensable guide to NIST CSF. Crafted by cybersecurity virtuoso Bruce Brown, a veteran with over two decades of hands-on experience in security compliance across many frameworks, this book is your pathway to grasping the intricate realms of information systems security.

Dive into "NIST Cybersecurity Framework for Information Systems Security" and explore:

  • A Comprehensive Study of Framework Core Functions: Gain in-depth knowledge about the nucleus of NIST CSF by meticulously breaking down each subcategory to solidify your understanding.
  • Intricacies of Framework Profiles: Grasp the nuances of Target Profiles, comprehending their function and significance within the broader scope of NIST CSF.
  • Decoding Implementation Tiers: Explore each implementation tier, interpreting every facet through the lens of an experienced professional.

The NIST Cybersecurity Framework, intelligently designed to synchronize with top-tier industry practices, is a treasure trove for all cybersecurity enthusiasts, IT professionals, or organizational leaders determined to enhance their information systems security. This book, with its ability to translate complex concepts into accessible lessons, has the power to elevate beginners into adept cybersecurity practitioners.

Language: English
Publisher: convocourses
Release date: Nov 28, 2024
ISBN: 9798230512806

    NIST Cybersecurity Framework (CSF) For Information Systems Security - Bruce Brown, CISSP

    NIST Cybersecurity Framework (CSF) For Information Systems Security

    By Bruce Brown, CISSP, CGRC

    Sources and downloadables:

    For more on the NIST CSF go to https://www.nist.gov/cyberframework

    You can also check out my downloadables at http://convocourses.com/courses/nist-csf

    Check us out on:

    youtube.com/convocourses

    Contact us:

    [email protected]

    Contents

    One Framework to Rule them All

    The Creation of The NIST Cybersecurity Framework

    Definition of the NIST Cybersecurity Framework

    Summary of the NIST Cybersecurity Framework Core

    Functions

    Categories

    Subcategories

    NIST CSF Core: Identify

    Asset Management (ID.AM)

    ID.AM-1: Hardware Inventory

    ID.AM-2: Software Inventory

    ID.AM-3: Network & Communication Documents

    ID.AM-4: Catalog External Information systems

    ID.AM-5: Resources are prioritized

    ID.AM-6: Cybersecurity roles and responsibilities

    Business Environment (ID.BE)

    ID.BE-1: Organization's Supply Chain Role

    ID.BE-2: Niche in Critical Infrastructure

    ID.BE-3: Priorities of the Mission

    ID.BE-4: Dependencies and Critical Functions

    ID.BE-5: Delivery of Critical Services

    Governance (ID.GV)

    ID.GV-1: Information Security Policies

    ID.GV-2: Alignment of Internal and External Cybersecurity Roles

    ID.GV-3: Identify Legal & Regulatory Requirements

    ID.GV-4: Management Governance, Risk and Process

    Risk Assessment (ID.RA)

    ID.RA-1: Asset Vulnerabilities are Identified and Documented

    ID.RA-2: Cyber Threat Intelligence and Vulnerability Information

    ID.RA-3: Internal and External Threat Information

    ID.RA-4: Potential Business Impacts

    ID.RA-5: Determine Risk

    ID.RA-6: Risk Responses Prioritized

    Risk Management Strategy (ID.RM)

    ID.RM-1: Risk Management Process

    ID.RM-2: Risk Tolerance

    ID.RM-3: Role in Critical Infrastructure & Risk Tolerance

    Supply Chain Risk Management (ID.SC)

    ID.SC-1: Cyber Supply Chain Risk Management Processes

    ID.SC-2: Identifying Partners of Critical Information Systems

    ID.SC-3: Contracts in Cyber Supply Chain Risk Management

    ID.SC-4: Monitor Suppliers Contractual Cybersecurity Requirements

    ID.SC-5: Response, Recovery Planning and Testing with Suppliers

    NIST CSF Core: Protect

    Identity Management and Access Control (PR.AC)

    PR.AC-1: Account Management

    PR.AC-2: Physical Security Control

    PR.AC-3: Remote Access

    PR.AC-4: Least Privilege & Separation of Duties

    PR.AC-5: Network Segregation

    PR.AC-6: Personnel Security

    Awareness and Training (PR.AT)

    PR.AT-1: Security Awareness Training for All Users

    PR.AT-2: Role-Based Training

    PR.AT-3: Roles of Third-Party Vendors in Cybersecurity

    PR.AT-4: C-Level Roles and Responsibilities in Cybersecurity

    PR.AT-5: Security Personnel Roles and Responsibilities

    Data Security (PR.DS)

    PR.DS-1: Data-at-Rest

    PR.DS-2: Data-in-Transit

    PR.DS-3: Management of Assets

    PR.DS-4: Capacity of Data Storage

    PR.DS-5: Data Loss Prevention

    PR.DS-6: Software Integrity Mechanisms

    PR.DS-7: Development and Testing Environment

    PR.DS-8: Hardware Integrity Mechanisms

    Information Protection Processes and Procedures (PR.IP)

    PR.IP-1: Baseline Configuration Maintained

    PR.IP-2: SDLC

    PR.IP-3: Configuration Change Control

    PR.IP-4: Backups Maintained & Tested

    PR.IP-5: Environmental Controls

    PR.IP-6: Data Disposal

    PR.IP-7: Protection Processes are Improved

    PR.IP-8: Sharing the Effectiveness of Protection Technologies

    PR.IP-9: Response Plans

    PR.IP-10: Testing of Response and Recovery Plans

    PR.IP-11: Cybersecurity in Human Resources Practices

    PR.IP-12: Development and Implementation of a Vulnerability Management Plan

    Maintenance (PR.MA)

    PR.MA-1: Maintenance and Repair of Organizational Assets

    PR.MA-2: Remote Maintenance of Organizational Assets

    Protective Technology (PR.PT)

    PR.PT-1: Log Management Policy

    PR.PT-2: Removable Media Policy

    PR.PT-3: Principle of Least Functionality

    PR.PT-4: Protection of Communications and Control Networks

    PR.PT-5: Systems Operate in Pre-Defined Functional States

    NIST CSF Core: Detect

    Anomalies and Events (DE.AE)

    DE.AE-1: Network Baseline

    DE.AE-2: Detected Events Analysis

    DE.AE-3: Aggregation and Correlation

    DE.AE-4: Impact of Events

    DE.AE-5: Incident Alert Thresholds

    Security Continuous Monitoring (DE.CM)

    DE.CM-1: Monitoring the Network

    DE.CM-2: Physical Environment is Monitored

    DE.CM-3: Monitoring Personnel Activity

    DE.CM-4: Malicious Code Detection

    DE.CM-5: Unauthorized Mobile Code

    DE.CM-6: Monitoring External Service Provider

    DE.CM-7: Monitoring for Unauthorized

    DE.CM-8: Vulnerability Scans are Performed

    Detection Processes (DE.DP)

    DE.DP-1: Roles and Responsibilities for Detection

    DE.DP-2: Compliance of Detection Activities

    DE.DP-3: Detection Process Testing

    DE.DP-4: Event Detection Communicated

    DE.DP-5: Detection Continuously Improved

    NIST CSF Core: Respond

    RS.RP-1: Response Planning

    Communications (RS.CO)

    RS.CO-1: Roles and Order of Response Operations

    RS.CO-2: Standards for Event Reporting

    RS.CO-3: Response Plan, Information Shared

    RS.CO-4: Response & Coordination with Stakeholders

    RS.CO-5: Information Sharing with External Stakeholders

    Analysis (RS.AN)

    RS.AN-1: Notifications are Investigated

    RS.AN-2: Incident Impacts are Understood

    RS.AN-3: Forensics

    RS.AN-4: Incident Categorization

    Mitigation (RS.MI)

    RS.MI-1: Incident Containment

    RS.MI-2: Incidents Mitigated

    RS.MI-3: New Vulnerabilities

    Improvements (RS.IM)

    RS.IM-1: Response Plan & Lessons Learned

    RS.IM-2: Response Strategies are Updated

    NIST CSF Core: Recovery

    Recovery Planning (RC.RP)

    RC.RP-1: Recovery Plan

    Improvements (RC.IM)

    RC.IM-1: Recovery Plan Lessons Learned

    RC.IM-2: Recovery Strategies

    Communications (RC.CO)

    RC.CO-1: Public Relations

    RC.CO-2: Reputation

    RC.CO-3: Recovery Status

    The NIST CSF Profiles

    Target Profile

    The NIST CSF Implementation Tiers

    Tier One: Partial Implementation

    Tier Two: Risk-Informed Implementation

    Tier Three: Repeatable Implementation

    Tier Four: Adaptive Implementation

    Using the CSF

    One Framework to Rule them All

    As a cybersecurity consultant, I would help organizations decide which controls, policies and rules to apply to their systems. I would advise which sets of security controls or regulations they should use. These sets of controls are sometimes called security frameworks. These frameworks are based on laws, regulations, and industry standards. There are some for every sector from healthcare to finance to retail… you name it!

    As consultants, we had clients from many different sectors, so we needed to suggest the applicable framework. For example, if they were in the financial sector, we might suggest Sarbanes-Oxley. If they were in the healthcare industry, we might conduct an assessment to see if they had HIPAA (Health Insurance Portability and Accountability Act) implemented properly.

    Typically, if they could afford our services, they were a company that was large enough to require more than one security framework.

    One organization had to abide by the international framework (ISO 27001) because they had sites in the EU. And they also had systems that had to comply with the US government's rules, so they needed to use NIST 800 controls.

    It can be confusing to manage all these security controls because there are hundreds of them that overlap.

    One great solution to needing multiple frameworks, or to staying flexible enough to apply new ones in the future, is the NIST Cybersecurity Framework (CSF). The way the CSF was designed, it allows the use of multiple frameworks, so it can include NIST 800, ISO 27001, and HIPAA controls under related NIST CSF categories.

    This book will address the CSF, its effectiveness, and how it works. The CSF is very flexible and can be used by small to large organizations regardless of country or industry because it focuses on protecting business functions that everyone needs.

    The Creation of The NIST Cybersecurity Framework

    Data breaches, malware, and vulnerability hacks have been happening since the 1980s when PCs started getting networked together and into the 90s when the World Wide Web exploded onto the scene. But around the mid-2000s, cyberattacks went viral. The growth of the dark web made criminal hacking a multibillion-dollar business, and a bunch of tools made it easier for script kiddies and people with limited programming skills to start hacking. But the party really got started when nation-states and governments jumped in!

    Governments started investing parts of their military budgets to weaponize cyberattacks. The term advanced persistent threat (APT) was coined to identify sophisticated, sustained attacks where adversaries gain an undetected presence on the network. These APTs are sometimes backed by governments. Most of this started between 2003 and 2010. The US government responded to this massive increase in data breaches by issuing an executive order that spawned the NIST Cybersecurity Framework.

    The attacks have not decreased. Governments worldwide are facing threats from cyberattacks that could disrupt critical systems. External and internal cybersecurity threats can affect power plants or chemical plants that provide resources like electrical power, pipelines for water or oil, hospitals, or other healthcare services. Agriculture, transportation, and telecommunications systems, as well as other public infrastructures, are at risk.

    For better or worse, we are increasingly reliant on digital connections. Both the public and private sectors have reported breaches. It's happening in Normandy, Chile, Puerto Rico, Canada, Korea, Japan, Greece, Iran, Syria, Singapore, and everywhere.

    Search for the term Cloud Hopper to see a case where the Chinese government went after the US company Hewlett-Packard. This is not an isolated incident, and it’s not just the Chinese government hacking companies or other governments to get their way.

    Other horror stories include healthcare information breaches, credit cards, personal information, and genetic testing archives from genealogy websites getting exposed. The entertainment industry is not exempt. Alpha builds of video games and movie scripts have been leaked prior to official release, and social media sites are scraped for personal information and attacked. Other industries such as fast-food businesses, dating websites, online shopping, job boards or job search websites, and even public-oriented telecommunication systems have been exploited.

    Those are the commercial data breaches that you know about via the media. There have also been various academic, financial, government, and military information breaches that are not public.

    In 2013, Executive Order 13636 (EO 13636) was issued, calling for a voluntary, holistic cybersecurity framework.

    This executive order was put forward to enhance cybersecurity and manage risk. The goal is to share responsibility in reducing critical infrastructure impact from threats with customizable measures.

    This executive order is the reason why the NIST Cybersecurity Framework was created. It is designed to protect systems that are important to society (aka critical infrastructure) but can be used for any organization.

    The CSF is voluntary and technology-neutral. It helps promote cybersecurity practices and can be adopted internationally. And one of the best things about it is that it lines up with other regulations and cybersecurity frameworks.

    Definition of the NIST Cybersecurity Framework

    The NIST CSF is a voluntary system based on best security practices and existing standards. It’s designed so that any business or organization can reduce cybersecurity risk. It also communicates risk reduction across different layers of the organization, from the CEO to a regular end user. Since its introduction, the NIST CSF has been held in high esteem because it allows cybersecurity professionals to align several security frameworks.

    The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a set of guidelines designed to help organizations improve their security posture. The framework provides a common language for cybersecurity and the methods for assessing and managing cybersecurity risk. The CSF has five core functions: identify, protect, detect, respond, and recover.

    The Cybersecurity Framework is made up of core, profiles, and implementation tiers. We will spend time deep diving into these parts of the CSF, but here is a high-level summary of each:

    The Framework Core is a set of tools, controls, and methods for managing cybersecurity risks.

    Framework Profiles are like a blueprint that guides a company in knowing what security to apply. These are tailored to specific needs. One profile might focus on protecting sensitive data (such as credit card information), while other organizations may need profiles that focus on website availability for online shopping, witness protection databases, classified unidentified aerial phenomena data, or something else.

    Implementation Tiers are the different levels of security that will be installed, configured or put in place on systems, sites, and any assets in an organization. These go from Tier 1, basic security features that are easy to put in place, to Tier 3, which takes a greater level of effort to implement.

    The CSF can be customized to fit the unique needs of any organization.

    Summary of the NIST Cybersecurity Framework Core

    The NIST Cybersecurity Framework Core is a series of easy-to-understand tasks and results that guide an organization toward reducing cybersecurity risks. The Framework is also configured to work with an organization’s existing cybersecurity process for additional risk reduction.

    For example, let’s say SkyPark Emergency Center has an existing cybersecurity process that consists of encrypting electronic protected health information (EPHI) and other tasks for HIPAA compliance. They could use the CSF together with this process. The CSF process would allow them to easily add the Payment Card Industry Data Security Standard (PCI DSS) if they had to process credit cards.

    CSF is unique because it’s created to be very flexible, unlike other frameworks that are specialized for certain industries.

    One of the biggest drawbacks of other security frameworks is that they are narrowly focused on the issues and attack vectors of their own industry. They have blind spots because they were made by that industry, for that industry. So, sometimes they miss the big picture that growing organizations must consider.

    Credit card companies created PCI DSS for organizations that handle credit cards, so a company cannot use PCI DSS for anything other than the protection of point-of-sale solutions. They’ll have to use something else if they also have healthcare records. Speaking of healthcare records, HIPAA is an act designed for healthcare and ONLY healthcare.

    NIST 800 has over 1000 security controls because it is designed to protect federal systems with sensitive information. NIST 800 is a little overpowered for small organizations. But the CSF is very different because of the Framework Core, which allows it to fit any of these situations and all industries.

    The NIST Cybersecurity Framework Core is outcome-driven, with risk-aware implementations customized to a business or organization’s needs; it doesn't mandate how an organization achieves those outcomes.

    The Framework Core is organized into three separate areas, which are:

    Functions

    Categories

    Subcategories

    [Figure: core of framework]

    Functions

    Functions are broad enough to fit the organization's business needs. Five high-level functions are the foundation for a comprehensive cybersecurity program: Identify, Protect, Detect, Respond, and Recover.

    Identify: This means identifying assets, systems, people, and processes critical to the organization and assessing their vulnerabilities.

    Protect: Implement safeguards for the critical infrastructure services and limit or contain the impact of a potential cybersecurity event.

    Detect: Monitor processes to identify potential cybersecurity events promptly.

    Respond: Have response plans to address a detected cybersecurity event and mitigate its impact on the organization.

    Recover: Restore any services disrupted or affected by a cybersecurity event and return to normal operations as soon as possible while improving future cybersecurity posture.

    Most security frameworks have some or all of these functions, but under different names. For example, CIS Critical Security Controls, the NIST 800 risk management framework, ISO 27001, and many others have controls or parts of their process that require the organization to identify what it must secure. This is what makes the CSF so flexible.
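    As an added example (not code from the book, from NIST, or from convocourses), the Python below models the Function, Category and Subcategory hierarchy just described, attaches a crosswalk of controls from other frameworks to CSF subcategories the way the earlier section says NIST 800, ISO 27001 and HIPAA controls can sit under related CSF categories, and runs a gap check between a Current Profile and a Target Profile. The subcategory identifiers and names are taken from the book's table of contents; the crosswalk entries, the hypothetical clinic and both profiles are constructed for illustration and are not the official CSF informative references.

```python
"""Added example: a small model of the NIST CSF Core hierarchy with a
constructed crosswalk and a Current-vs-Target Profile gap check.
Not code from the book; crosswalk and profiles are illustrative only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    sub_id: str       # e.g. "ID.AM-1"
    name: str         # outcome statement, as named in the book
    function: str     # e.g. "Identify"
    category: str     # e.g. "Asset Management (ID.AM)"


# Function -> Category -> Subcategory; a subset of the Core as listed in the book.
CSF_CORE = {
    "Identify": {
        "Asset Management (ID.AM)": {
            "ID.AM-1": "Hardware Inventory",
            "ID.AM-2": "Software Inventory",
        },
        "Risk Assessment (ID.RA)": {
            "ID.RA-1": "Asset Vulnerabilities are Identified and Documented",
        },
    },
    "Protect": {
        "Identity Management and Access Control (PR.AC)": {
            "PR.AC-1": "Account Management",
            "PR.AC-4": "Least Privilege & Separation of Duties",
        },
        "Data Security (PR.DS)": {
            "PR.DS-1": "Data-at-Rest",
            "PR.DS-2": "Data-in-Transit",
        },
    },
    "Detect": {
        "Security Continuous Monitoring (DE.CM)": {
            "DE.CM-8": "Vulnerability Scans are Performed",
        },
    },
}

# Constructed crosswalk: controls from other frameworks that a hypothetical
# organisation has mapped onto CSF subcategories. Illustrative only; these are
# not the official CSF informative references.
CROSSWALK = {
    "ID.AM-1": ["NIST SP 800-53 CM-8", "ISO/IEC 27001 A.8.1.1"],
    "ID.AM-2": ["NIST SP 800-53 CM-8"],
    "PR.AC-1": ["NIST SP 800-53 AC-2", "ISO/IEC 27001 A.9.2.1"],
    "PR.DS-1": ["NIST SP 800-53 SC-28", "HIPAA 164.312(a)(2)(iv)"],
    "PR.DS-2": ["NIST SP 800-53 SC-8", "HIPAA 164.312(e)(1)"],
    "DE.CM-8": ["NIST SP 800-53 RA-5"],
}


def flatten_core(core=CSF_CORE):
    """Return {sub_id: Subcategory} for every subcategory in the hierarchy."""
    out = {}
    for function, categories in core.items():
        for category, subs in categories.items():
            for sub_id, name in subs.items():
                out[sub_id] = Subcategory(sub_id, name, function, category)
    return out


def frameworks_covering(sub_id, crosswalk=CROSSWALK):
    """Names of the external frameworks with at least one control mapped to sub_id.
    The framework name is everything before the control identifier (last token)."""
    return sorted({ctrl.rsplit(" ", 1)[0] for ctrl in crosswalk.get(sub_id, [])})


def profile_gaps(current, target, core=CSF_CORE):
    """Subcategories in the Target Profile that the Current Profile does not yet
    achieve, grouped by Function so the gap can be reported per Function."""
    subs = flatten_core(core)
    unknown = set(target) - set(subs)
    if unknown:  # a profile may only select outcomes that exist in the Core
        raise ValueError(f"not in the Core: {sorted(unknown)}")
    gaps = {}
    for sub_id in sorted(set(target) - set(current)):
        gaps.setdefault(subs[sub_id].function, []).append(sub_id)
    return gaps


def unmapped_in_target(target, crosswalk=CROSSWALK):
    """Target subcategories with no external control mapped yet: the outcome has
    been chosen, but how it will be achieved has not been decided."""
    return sorted(s for s in target if not crosswalk.get(s))


# Constructed profiles for a hypothetical clinic that already does HIPAA work.
CURRENT_PROFILE = {"PR.DS-1", "PR.DS-2", "PR.AC-1"}
TARGET_PROFILE = {"ID.AM-1", "ID.AM-2", "ID.RA-1", "PR.AC-1", "PR.AC-4",
                  "PR.DS-1", "PR.DS-2", "DE.CM-8"}

if __name__ == "__main__":
    for function, ids in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{function}: {', '.join(ids)}")
    print("no control mapped yet:", unmapped_in_target(TARGET_PROFILE))
```

    The gap report is grouped by Function because that is the level at which the book says leadership talks about risk, while the crosswalk stays at the Subcategory level where the actual controls live; adding a new framework later means adding entries to the crosswalk, not changing the Core or the profiles.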

    Categories

    Each CSF function comprises multiple
